Passphrase and backend credentials can be retrieved easily by logging in to the Web UI, no matter where and how the local DB is stored.
To protect this information, don’t use the --webservice-interface=any to start the server and protect the Web UI with a password.